When Edward Snowden disclosed the extent of US government surveillance of private communications taking place in the US and elsewhere in 2013, it is unlikely that he would have anticipated that his actions would lead to a potential breakdown in electronic commerce between the US and Europe. Yet with the opinion of the Court of Justice of the European Union (ECJ) on October 6, 2015, in the case of Schrems v. Data Protection Commissioner, which concerned whether transfers of personal data made by Facebook from the EU to the US under the Safe Harbor were legal, that is precisely where we find ourselves. In its decision, the ECJ officially invalidated the US Safe Harbor as a viable solution for US companies to comply with Article 26 of the EU Data Directive, which only allows for transfers of personal data from the EU to other jurisdictions where “adequate protection” is present under national law or other arrangements. The rationale for the court in Schrems was that the extent of US government surveillance of private communications in the US was not compatible with the rights of EU residents to control their personal data.
Since 2000, when the European Commission first declared that transfers from the EU to US companies under the Safe Harbor provided adequate protection, thousands of US companies have relied on the Safe Harbor for the legality of their electronic commerce with the EU. The Schrems decision voids these arrangements, sending legal departments of companies across the EU into consternation as they search for other ways of legally protecting their data flows from the EU.
Unfortunately, easy solutions may not be in sight anytime soon for many transfers. The invalidation of the Safe Harbor was not the only fallout from the decision. More significantly, local data protection authorities in the EU Member States (DPAs) were empowered by the holding in this decision to examine de novo other arrangements previously found adequate by the EU Commission. This would include other common methods relied upon by U.S. companies in transferring data, such as the so-called Model Contracts or Binding Corporate Rules approved by the EU Commission. Because Model Contracts and Binding Corporate Rules do not address the Snowden issues any better than Safe Harbor, these too are expected to come into question.
A replacement Safe Harbor or other short-term solution is not expected soon, as the problems here center on a government-to-government level, involving the clash of the US “national security” and the EU “human rights” approaches to data privacy. For now, each US company receiving personal data from the EU should carefully examine other available means of compliance with the EU Data Directive in its specific circumstances. For example, where the data subject himself is requesting a service that logically involves transfer of his data to the U.S., such as mailing a package to the U.S., then the “necessary for the performance of a contract” exception to Article 26 would apply. Similarly, if the data subject initiates sending his data to a company that he knows is located in the U.S., then the “unambiguous consent of the data subject” exception may apply. The trouble comes when the reason for the transfer is that the company receiving the data has structured its operations such that data travels to the U.S. when this is not strictly necessary to carry out services requested by EU residents, and where the EU resident is not given a choice whether to send his data to the US or not. This situation, which applies to many companies with global operations whose only data servers are located in the U.S., is the circumstance that the Safe Harbor and the Model Contracts were designed to address.
Another solution for larger US companies may be the Binding Corporate Rules, which involve company-wide adoption of privacy practices that are then approved by the local DPA where transfers originate. For global companies, this takes on great complexity, expense and time because the approval of the DPA of each Member State where transfers originate must be involved. It is not a practical solution for many of the US companies who had certified under Safe Harbor, over half of which are small or medium-sized businesses.
A final idea that some U.S. companies should consider is restructuring their data flows to eliminate unnecessary data flows out of the EU to the U.S. For example, where customers are using hosted SaaS services provided by a U.S.-based licensor, one can ask whether hosting EU customers from an EU-based server would be a more economical way to solve this compliance issue. This will not be a workable solution, however, for all data flows from the EU to U.S. companies, particularly in the case of employee data for global companies with U.S. headquarters.
Where a company determines that the options above are not feasible and that the Model Contract approach is its most attractive remaining avenue to compliance, the company should be aware that, unlike transfers under Safe Harbor, the local DPA in the Member State where its EU transfers originate may require submission (and, in many cases, approval) of these contracts, and legally speaking this must happen before any transfers begin. In many cases, additional legal or procedural requirements are imposed on the exporting and importing companies by local DPAs, and U.S. companies should be prepared for requirements such as private rights of action for EU data subjects and audit rights for DPAs. These are the very fabric of EU data protection law, though still unfamiliar and hard to swallow for U.S. companies.
Finally, there is some good news for worried U.S. companies. The EU DPAs, newly empowered by the Schrems decision, are just as unprepared for this development as are the former Safe Harborite U.S. companies. Understaffed and underfunded, the EU DPAs are unlikely to embark on a wave of prosecutions of U.S. companies in the wake of this decision. Many of them, including those in the UK, Italy and Spain, rapidly posted statements after the Schrems decision indicating their willingness to work with U.S. companies to find other compliance solutions in light of the decision.
However, there is new pressure on these regulatory authorities to investigate complaints by EU residents, which now will likely always include claims of “inadequate protection” under Safe Harbor or even Model Contracts. The best defense for U.S. companies is a good offense: handle any complaints or queries about data privacy by EU residents with the best possible treatment, and be ready with a full panoply of disclosures of the many positive measures the company takes to protect personal data received in the U.S. The time to begin preparing these disclosures, specific to your company and circumstances, is now.
Maximilian Schrems v. Data Protection Commissioner, Case C-362/14 (Court of Justice of the European Union, October 6, 2015).
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Data Directive”).
Data Directive, Article 26(2).
Data Directive, Article 26(1)(c).
Data Directive, Article 26(1)(a).
IAPP Panel.
Author Kim Verska is an attorney in Atlanta and head of the Data Privacy and Security team at Culhane Meadows. She has been advising companies from the Fortune 100 to the newest startup on US-EU data privacy issues since the inception of Safe Harbor in 2000.
For assistance with U.S.-EU data privacy compliance issues, contact your Culhane Meadows attorney or send a message to firstname.lastname@example.org. The Data Privacy and Security Team of attorneys at Culhane Meadows has been assisting clients with these and other cross-border data privacy and security issues since the inception of the Safe Harbor and the related laws in the US, EU and elsewhere. As always, due to its cloud-based business model, Culhane Meadows attorneys provide clients with advice from BigLaw-quality attorneys at New Economy levels of service.